REMARKS

Applicant has noted the claim renumbering by the Examiner. 

The Examiner has rejected Claims 1-3, 10, 12-14, 16-21, 28, 30-32, 34-36, and 39 under
35 U.S.C. 103(a) as being unpatentable over Chen et al. (US Patent Number: 5,960,170) in
further view of Nash (US Patent Number: 6,449,645 B1). Applicant respectfully disagrees with
such rejection, especially in view of the amendments made hereinabove.

Specifically, the Examiner has admitted that Chen does not explicitly suggest applicant's 
claimed "determining whether the risk assessment scan involves an intermediate device coupled 
between the target and the remote source" and "notifying an administrator if it is determined that 
the risk assessment scan involves the intermediate device" (see this or similar, but not identical,
language in each of the independent claims). 

The Examiner then relies on the following excerpt from Nash to meet such claim 
limitations. 

"Another description/embodiment of the method of the might be
characterized as a method for detecting an illegal use of a packet of
digitized information. In this case steps include features such as
installing a first computer routine in a plurality of computers. It is
generally preferable that the first computer routine does not interfere
with use of the packet of digitized information. This is preferably
true regardless of whether the illegal use is indicated or not. As
discussed before a first indicia, such as an identification number or
the like, is associated with the packet of digitized information for
identifying the packet of digitized information. A second indicia is
related to each of the plurality of computers. Obviously, the first and
second indicia could be formed of one string of computer symbols, two
strings, or a plurality of strings. However the effect is to determine
the first and second indicia that are associated as described for
determining whether the uniquely identified software is found on more
than one computer. Another step involves automatically determining
whether one of the plurality of computers is presently in communication
with a network of computers, such as might include the Internet or an
intranet of computers. When the one of the plurality of computers is
presently in communication with the network of computers, which could
be the Internet or an intranet or both, then automatically sending the
first indicia and the respective second indicia over the network of
computers to a second location." (col. 4, lines 1-24)

The Examiner then purports that "Nash teaches determining one of the pluralities of
computers is presently involve[d] (in communication) with a network of computers." Whether
this is true or not, it appears that the Examiner is not taking into consideration the full weight of 
applicant's claims. Determining whether a computer is in communication with a network of 
computers in no way suggests "determining whether the risk assessment scan involves an 
intermediate device coupled between the target and the remote source" and "notifying an 
administrator if it is determined that the risk assessment scan involves the intermediate device"
(emphasis added). 

Only applicant teaches and claims the act of determining whether a risk assessment 
performed between the target and the remote source traverses an intermediate device. 

To establish a prima facie case of obviousness, three basic criteria must be met. First, 
there must be some suggestion or motivation, either in the references themselves or in the 
knowledge generally available to one of ordinary skill in the art, to modify the reference or to 
combine reference teachings. Second, there must be a reasonable expectation of success. 
Finally, the prior art reference (or references when combined) must teach or suggest all the claim 
limitations. The teaching or suggestion to make the claimed combination and the reasonable 
expectation of success must both be found in the prior art and not based on applicant's 
disclosure. In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438 (Fed.Cir.1991). 

Applicant respectfully asserts that at least the third element of the prima facie case of 
obviousness has not been met, since the prior art references, when combined, fail to teach or 
suggest all of the claim limitations, as noted above. A notice of allowance or a specific prior art 
showing of all of applicant's claim limitations, in combination with the remaining claim 
elements, is respectfully requested. 

Nevertheless, despite the paramount differences highlighted above and in the spirit of 
expediting the prosecution of the present application, applicant has amended each of the 
independent claims to include the following subject matter for consideration:

"wherein additional operations are carried out to improve a risk assessment in view of the 
presence of the intermediate device coupled between the target and the remote source." 

Thus, applicant has further emphasized the thrust of one embodiment; that is, improving
a risk assessment in view of the presence of an intermediate device coupled between the target 
and the remote source. Again, a notice of allowance or a specific prior art showing of all of 
applicant's claim limitations, in combination with the remaining claim elements, is respectfully 
requested. 

With respect to the dependent claims, applicant has carefully reviewed the excerpts relied 
upon by the Examiner to reject the same, and has found serious deficiencies in the Examiner's 
application of the prior art. Just by way of example, the Examiner relies on the above excerpt 
from Nash to meet applicant's claimed "wherein a plurality of procedures are utilized to 
determine whether the risk assessment scan involves the intermediate device" (see Claim 3 et 
al.). Such excerpt, however, makes absolutely no mention of risk assessment, let alone using a 
plurality of procedures to determine whether the risk assessment scan involves the intermediate 
device. 

With respect to the subject matter of Claim 10 et al., the Examiner relies on the following 
excerpt from Chen to meet applicant's claimed "wherein at least one of the procedures includes 
transmitting a first request for content to the target utilizing the network, and transmitting a 
second request for a cached version of the content to the target utilizing the network." 

"Once it is determined by the virus detection server that a valid virus 
detection request has been received, the virus detection server 
operates to iteratively detect and treat viruses associated with the 
requester, typically the client. The iterative production of virus 
detection objects allows objects to be specifically tailored according
to previously determined conditions and/or conditions discovered as a 
result of the execution of previously produced virus detection objects. 
Specifically, a virus detection object is produced by the virus 
detection server and is transmitted to the client. The virus detection 
object includes an executable program which the client includes a 
corresponding executing engine. Thus, when the client receives the 
virus detection object, it executes the object and produces a result 
that is transmitted back to the virus detection server. The results of 
the execution of the virus detection object are transmitted to the 
virus detection server so that the server can produce additional virus 
detection objects based upon the results of the execution of the 
previous virus detection object or objects." (see col. 3, lines 8-27) 

procedures further includes determining whether a value of a flag is different for communication
attempts using at least two ports on the port list" 

"FIG. 5C illustrates the format of an IP network layer (L3) header 506.
The IP network layer (L3) header 506 includes a source IP address 544,
a destination IP address 546, an IP Version field 522, an IP length
field 524, Type of Service ("TOS") 526, Total Length 528,
identification 530, Flags 532, Fragment Offset 534, Time to Live
("TTL") 536, Protocol Type 540, Header Checksum 542, Options 548 and
Pad 550.

FIG. 5B illustrates the format of an Ethernet data link (L2) header
504. The Ethernet data link (L2) header 504 includes a destination
address 514, a source address 516, an optional Virtual Local Area
Network Identification ("VLAN ID") field 518 and a length/type field
520.

FIG. 5C illustrates the format of an IP network layer (L3) header 506.
The IP network layer (L3) header 506 includes a source IP address 544,
a destination IP address 546, an IP Version field 522, an IP length
field 524, Type of Service ("TOS") 526, Total Length 528,
identification 530, Flags 532, Fragment Offset 534, Time to Live
("TTL") 536, Protocol Type 540, Header Checksum 542, Options 548 and
Pad 550.

FIG. 5D illustrates the format of a TCP transport layer (L4) header
508a. The TCP transport layer (L4) header 508a includes the following
fields: a TCP source port 552a, a TCP destination port 554a, a sequence
number 556, an acknowledgment number 558, TCP offset 560, a reserved
field 562, TCP flags 564, Window 566, TCP header Checksum 568, Urgent
Pointer 570, Options 572 and TCP pad 574." (see col. 6, lines 18-45)



Such excerpt, however, merely suggests various formats. This disclosure, in no way, 
suggests any sort of functionality that meets applicant's claims, since there is not even a 
suggestion of applicant's claimed "determining whether a value of a flag is different for
communication attempts using at least two ports on the port list" as claimed.

Again, these examples of deficiencies in the Examiner's rejection of the dependent 
claims are merely exemplary and illustrative. Applicant respectfully asserts that at least the third 
element of the prima facie case of obviousness has not been met, since the prior art references, 
when combined, fail to teach or suggest all of the claim limitations, as noted above. A notice of 
allowance or a specific prior art showing of all of applicant's claim limitations, in combination 
with the remaining claim elements, is respectfully requested. 

In the event a telephone conversation would expedite the prosecution of this application,
the Examiner may reach the undersigned at (408) 971-2573. For payment of any additional fees
due in connection with the filing of this paper, the Commissioner is authorized to charge such 
fees to Deposit Account No. 50-1351 (Order No. NAI IPO 1 2/0 U 32.01). 


Respectfully submitted,

By:

Kevin J. Zilka
Reg. No/^,429 

Date:

Zilka-Kotab, PC
P.O. Box 721120
San Jose, California 95172-1120
Telephone: (408) 971-2573